MidnightBSD

Advisories for soft-xpansion

CVE-2018-18688 MEDIUM

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
foxitsoftware phantompdf *
soft-xpansion perfect_pdf_10 10.0.0.1
qoppa pdf_studio_viewer_2018 2018.0.1
nuance power_pdf_standard 7.0
libreoffice libreoffice 6.1.0.3
code-industry master_pdf_editor 5.1.68
iskysoft pdfelement6 6.8.0.3523
foxitsoftware phantompdf 8.3.9
nuance power_pdf_standard 3.0.0.30
soft-xpansion perfect_pdf_reader 13.0.3
gonitro nitro_pro 11.0.3.173
nuance power_pdf_standard 3.0.0.17
foxitsoftware foxit_reader 9.4
code-industry master_pdf_editor 5.1.24
iskysoft pdf_editor_6 6.7.6.3399
code-industry master_pdf_editor 5.1.12
foxitsoftware foxit_reader 9.2.0
iskysoft pdfelement6 6.8.4.3921
qoppa pdf_studio_viewer_2018 2018.2.0
libreoffice libreoffice 6.1.3.2
qoppa pdf_studio 12.0.7
iskysoft pdf_editor_6 6.4.2.3521
iskysoft pdfelement6 6.7.6.3399
iskysoft pdfelement6 6.7.1.3355
soft-xpansion perfect_pdf_reader 13.1.5
libreoffice libreoffice 6.0.6.2
foxitsoftware foxit_reader 9.1.0
gonitro nitro_reader 5.5.9.2
iskysoft pdf_editor_6 6.6.2.3315
CVE-2018-18689 MEDIUM

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
sodapdf soda_pdf_desktop 10.2.16.1217
soft-xpansion perfect_pdf_10 10.0.0.1
qoppa pdf_studio_viewer_2018 2018.0.1
avanquest pdf_experte_ultimate 9.0.270
sodapdf soda_pdf_desktop 10.2.09
iskysoft pdfelement6 6.8.0.3523
avanquest expert_pdf_ultimate 12.0.20
foxitsoftware foxit_reader 9.3.0.10826
soft-xpansion perfect_pdf_reader 13.0.3
gonitro nitro_pro 11.0.3.173
sodapdf soda_pdf 9.3.17
pdfforge pdf_architect 6.0.37
iskysoft pdf_editor_6 6.7.6.3399
foxitsoftware foxit_reader 9.2.0
iskysoft pdfelement6 6.8.4.3921
qoppa pdf_studio_viewer_2018 2018.2.0
pdf-xchange pdf-xchange_editor 7.0.237.1
qoppa pdf_studio 12.0.7
iskysoft pdf_editor_6 6.4.2.3521
iskysoft pdfelement6 6.7.6.3399
iskysoft pdfelement6 6.7.1.3355
soft-xpansion perfect_pdf_reader 13.1.5
pdf-xchange pdf-xchange_editor 7.0.326
pdfforge pdf_architect 6.1.24.1862
visagesoft expert_pdf_reader 9.0.180
foxitsoftware foxit_reader 9.2.0.9297
tracker-software pdf-xchange_viewer 2.5
foxitsoftware foxit_reader 9.1.0
gonitro nitro_reader 5.5.9.2
iskysoft pdf_editor_6 6.6.2.3315